Scrub tracked secrets and switch ATVM docs to local credential references

- remove hardcoded credentials, tokens, registration codes, and similar secret values from tracked ATVM and CDS MCP docs
- replace those values with references to /home/aw/code/cds/.env.credentials.local and the corresponding environment variable names
- update current operator guides to instruct sourcing .env.credentials.local before credential-dependent setup and automation workflows
- update the ATVM setup scripts to consume ATVM_TARGET_PASSWORD from the environment instead of hardcoding the Ubuntu root SSH password
- scrub the remaining tracked artifact log entry that still included the old CMC registration code
- keep the local-only credential inventory in .env.credentials.local while leaving that file untracked

atvm/AGENTS.md

@@ -36,16 +36,16 @@ This file defines how to operate and maintain the ATVM workspace in `/home/aw/co
 - ATVM static IP target: `192.168.3.191/22`
 - Gateway: `192.168.0.1`
 - DNS: `8.8.8.8`, `8.8.4.4`
-- Default setup credential: `root / cdsi2012`
+- Default setup credential source: `/home/aw/code/cds/.env.credentials.local` via `ATVM_TARGET_USER` and `ATVM_TARGET_PASSWORD`
 - Client log file: `atvm_setup_script.log`
 - Treat `192.168.3.191` as the default ATVM target host reference.
 - For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
-- For SSH to `192.168.3.191`, use default credentials `root / cdsi2012` unless explicitly overridden.
+- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless explicitly overridden.
 
 ## Automation Track Defaults
 - Controller host: `atvm-cypres-vm-1`
 - Controller IP: `192.168.3.190`
-- Controller credentials: `root / atvmcdsi2012`
+- Controller credential source: `/home/aw/code/cds/.env.credentials.local` via `ATVM_CONTROLLER_USER` and `ATVM_CONTROLLER_PASSWORD`
 - Detailed test artifact root on controller: `/root/cdc-e2e-cyp-12.17.4/cypress/cmcReporter`
 - Default Mattermost status destination config: `/home/aw/code/cds/.env.credentials.local`
 - Default plugin: `--use_specified_plugin iscsi`

atvm/archive/imported-notes/cypress-automation-for-cmc.md

@@ -1,5 +1,8 @@
 # Cypress Automation for CMC
 
+Credentials, tokens, webhooks, and registration codes were scrubbed from this tracked archive.
+Use `/home/aw/code/cds/.env.credentials.local` for the local-only values referenced below.
+
 # Summary
 
 This document outlines the equipement, hardware, vm inventory and any tips to configure the vms for the cmc cypress automation.  The vms were initially configured manually but as of 2026, are now being configured via AI tools to make configuration more automated and efficient.  The 
@@ -10,7 +13,7 @@ This document outlines the equipement, hardware, vm inventory and any tips to co
 ## __Storage Array/Appliance__
 
 
-1. Primary DGS Phoenix Server: 192.168.1.172  (Web GUI login: **admin** / **cdsi2012DGS172**)
+1. Primary DGS Phoenix Server: 192.168.1.172  (Web GUI login: **DGS_PRIMARY_USER** / **DGS_PRIMARY_PASSWORD** from `.env.credentials.local`)
 
    ***Note:*** For SSH login, use **root** and the password needs to be obtained from <https://callcenter.cdsi.us.com/main/phoenix/>
 
@@ -30,17 +33,17 @@ This document outlines the equipement, hardware, vm inventory and any tips to co
 ### vSphere vCenter Environment 1
 
 
-1. vCenter Server Appliance: 192.168.0.201  (vSphere login: **administrator@qalab.cdsi.local** / **CDSi101!**)
+1. vCenter Server Appliance: 192.168.0.201  (vSphere login: **VCENTER_USER** / **VCENTER_PASSWORD** from `.env.credentials.local`)
 
-   ***Note:*** For SSH login, **administrator@qalab.cdsi.local** / **CDSi101!** (can also use **root** with the same password?)
+   ***Note:*** For SSH login, use **VCENTER_USER** / **VCENTER_PASSWORD** from `.env.credentials.local` (or the equivalent root credential if still valid).
 
    
-   1. ESX Server 165: 192.168.1.165 (ssh: root / CDSi101! / IPMI: admin / cdsi2012) - License: 1Y2RU-DWK14-H81E0-UH8Z6-0Y2J4
+   1. ESX Server 165: 192.168.1.165 (ssh: **ESXI_HOST_1_USER** / **ESXI_HOST_1_PASSWORD**; IPMI: **ESXI_HOST_1_IPMI_USER** / **ESXI_HOST_1_IPMI_PASSWORD** from `.env.credentials.local`) - License: 1Y2RU-DWK14-H81E0-UH8Z6-0Y2J4
 
       
       1. VMware ESXi, 7.0.3, 19193900
       2. Assigned AutomatedTest-VMBootImg-Gold (3 TB)
-   2. ESX Server 166: 192.168.1.166 (ssh: root / CDSi101! / IPMI: admin / cdsi2012) - License: 1Y2RU-DWK14-H81E0-UH8Z6-0Y2J4
+   2. ESX Server 166: 192.168.1.166 (ssh: **ESXI_HOST_2_USER** / **ESXI_HOST_2_PASSWORD**; IPMI: **ESXI_HOST_2_IPMI_USER** / **ESXI_HOST_2_IPMI_PASSWORD** from `.env.credentials.local`) - License: 1Y2RU-DWK14-H81E0-UH8Z6-0Y2J4
 
       
       1. VMware ESXi, 7.0.3, 19193900
@@ -50,23 +53,23 @@ This document outlines the equipement, hardware, vm inventory and any tips to co
 ### ==OLD vSphere vCenter Environment==
 
 
-1. ==vCenter Server Appliance: 192.168.0.200  (vSphere login: **administrator@qa.cdsi.local** / **CDSi101!**)==
+1. ==vCenter Server Appliance: 192.168.0.200  (vSphere login: **LEGACY_VCENTER_USER** / **LEGACY_VCENTER_PASSWORD** from `.env.credentials.local`)==
 
-   ***==Note:==*** ==For SSH login, use **root** with the same password==
+   ***==Note:==*** ==For SSH login, use the matching legacy vCenter credential from `.env.credentials.local`==
 
    ==\[VM name: **CDS1-VSCA6.7-200**.    Location: ESXi 6.0.0, 192.168.0.43, root/CDSi101\]== 
 
    \
-2. ==ESXi Server **CDS1-H011**: 192.168.1.11  (SSH login: **root** / **cdsi2012**)==
+2. ==ESXi Server **CDS1-H011**: 192.168.1.11  (SSH login: **LEGACY_ESXI_H011_USER** / **LEGACY_ESXI_H011_PASSWORD** from `.env.credentials.local`)==
 
-   ==iDRAC: 192.168.2.11  (login: **admin** / **cdsi2012**)==
+   ==iDRAC: 192.168.2.11  (login: **LEGACY_ESXI_H011_IDRAC_USER** / **LEGACY_ESXI_H011_IDRAC_PASSWORD** from `.env.credentials.local`)==
 
    ==S/W: ESXi 6.5.x.    H/W: Dell R720, 160 GB RAM, 18 x 8Gb FC HBA Ports (*14* passthrough-enabled)== 
 
    \
-3. ==ESXi Server **CDS1-H018**: 192.168.1.18  (SSH login: **root**/**CDSi2012**)==
+3. ==ESXi Server **CDS1-H018**: 192.168.1.18  (SSH login: **LEGACY_ESXI_H018_USER** / **LEGACY_ESXI_H018_PASSWORD** from `.env.credentials.local`)==
 
-   ==iDRAC: 192.168.2.18  (login: **admin** / **cdsi2012**)==
+   ==iDRAC: 192.168.2.18  (login: **LEGACY_ESXI_H018_IDRAC_USER** / **LEGACY_ESXI_H018_IDRAC_PASSWORD** from `.env.credentials.local`)==
 
    ==S/W: ESXi 6.7.x.    H/W: Dell R720, 192 GB RAM, 12 x 8Gb FC HBA Ports (*8* passthrough-enabled)== 
 
@@ -76,7 +79,7 @@ This document outlines the equipement, hardware, vm inventory and any tips to co
 Used to run cypress script and to initiate other scripts related to the automation testing process.
 
 
-1.  atvm-cypress-vm: 192.168.3.190 (ip); 255.255.252.0 (broadcast); 192.168.0.1 (gateway) -  (ssh and RDP login: root / atvmcdsi2012 ; cypressuser / atvmcypress)
+1.  atvm-cypress-vm: 192.168.3.190 (ip); 255.255.252.0 (broadcast); 192.168.0.1 (gateway) -  (ssh and RDP login: **ATVM_CONTROLLER_USER** / **ATVM_CONTROLLER_PASSWORD** ; **ATVM_CONTROLLER_ALT_USER** / **ATVM_CONTROLLER_ALT_PASSWORD** from `.env.credentials.local`)
 
 Located on AutomatedTest-Cypress
 
@@ -89,7 +92,7 @@ Memory 64GB
 Disk Space: 128GB
 
 
-2. atvm-cypress-vm-1: 192.168.3.190 (ip); 255.255.252.0 (broadcast); 192.168.0.1 (gateway) -  (ssh and RDP login: root / atvmcdsi2012 ; cypressuser / atvmcypress)
+2. atvm-cypress-vm-1: 192.168.3.190 (ip); 255.255.252.0 (broadcast); 192.168.0.1 (gateway) -  (ssh and RDP login: **ATVM_CONTROLLER_USER** / **ATVM_CONTROLLER_PASSWORD** ; **ATVM_CONTROLLER_ALT_USER** / **ATVM_CONTROLLER_ALT_PASSWORD** from `.env.credentials.local`)
 
 Located on AutomatedTest-Cypress
 
@@ -107,7 +110,7 @@ Disk Space: 128GB
 VM used to host offline DVD Linux Repository.  This will not be mirrorred or updated.  It is purely created for internal purposes to help create and configure the atvm clients (especially RHEL).  Created and provided AS IS. ==\[As of 08/28/2024 - Looks like you can use the free account to link to the RedHat repositories to install and update the system.  Tried it for Redhat9.4.  Redhat9.4+ probably won't have Full DVD ISO's (only boot ISOs).  May not need the offline DVD repository but I have not updated the previous OS versions\].  SEE REDHAT FREE ACCOUNT SUBSCRIPTION SECTION OF THIS DOCUMENT.==
 
 
-1. linux-repo-vm: 192.168.3.199 (ssh login: root / cdsi2012)
+1. linux-repo-vm: 192.168.3.199 (ssh login: **ATVM_REPO_USER** / **ATVM_REPO_PASSWORD** from `.env.credentials.local`)
 
 Located on Internal-DVD-Offline-Linux-Repository
 
@@ -140,13 +143,13 @@ This account is specifically used for the CMC automation test environment.  The
 1. **User:** qatest.atvm@cirrusdata.com (alias email currently linked with anthony.wen@cirrusdata.com. (Ask administrator to switch alias to whoever takes over this environment).  This is used to run through the automation.
 
    \
-   **Password:** fEMQ9N4KEfYyFnS
+   **Password:** `CMC_TEST_PASSWORD` from `.env.credentials.local`
 
    \
-   **2FA Registration Code:** C7FIIZV6SGZ67XGATFN7YQHEJI6BHGPL
+   **2FA Registration Code:** `CMC_TEST_TOTP_SECRET` from `.env.credentials.local`
 
    \
-   **CMC API Token:** lNSrdRkqJWJlxierQTcoIiZppmORigyZiXQsHhGiJtmnGKCGAJTwMpRsqKSLgKdSHTXDpYPtPyszDZTvOvGEoXuBZFdkTkxyvNTlSxYKLsBcEpTbRkRQkQppdwBhaUyauPZxolHmOTeZOVIAZCnyGBTQjVxsSaaJXwaguIgeFbYctONcCBhayNTruJOtYJGYbLBESrRkDMuHZBCpZoMeKgeNjifqdROMYhKCyUFhVhaOvFSWizFNlQZYRInscFw
+   **CMC API Token:** `CIRRUS_API_TOKEN` from `.env.credentials.local`
 
    \
    **ATVM Xray locations for failed tests:** ../cdc-e2e/cypress/cmcXray
@@ -155,15 +158,15 @@ This account is specifically used for the CMC automation test environment.  The
 2. **User:** qatestuser.atvm@cirrusdata.com (alias email currently linked with anthony.wen@cirrusdata.com).  (Ask administrator to switch alias to whoever takes over this environment).  This is used to test user administration with the automation scripts.
 
    \
-   **Password:** fEMQ9N4KEfYyFnS#1
+   **Password:** `CMC_USERADMIN_TEST_PASSWORD` from `.env.credentials.local`
 
    \
-   **2FA Registration Code:** WQ6F6NIDSIY57BLHMTTVBMIXZI44G5F7
+   **2FA Registration Code:** `CMC_USERADMIN_TOTP_SECRET` from `.env.credentials.local`
 
    \
    **CMC API Tokens:**
 
-   DQYjVaDFbsFDcfVEoIZNbiiWLkoMOMSzoFyVKkFxwvribCrLiUqEwVVVZDurapQTiJEuGYcJVOvFnXSmcIpwXIJDzPGiidaQwMfbPGirmpKsVZrPQeHAgbABpyNjiDxSOzmGWvDpBEHdrnYceSxtkvYkhSGPOolWOUYdblCuzfnFCuwLtOklRZGsZRAEbBfeJPyrfnZCSMcGBRoVkMRXttYcJKEwOqzlKKKXWtyKKirfyOpSpTlnREUQlgwjGSB
+   `CMC_USERADMIN_API_TOKEN` from `.env.credentials.local`
 
    \
 3. REDHAT FREE SUBSCRIPTION ACCOUNT - This account is used to access the redhat repos.  The only caveat is that free subscriptions expire in 1 year and need be manually renewed.  The clients will need to be unregistered and re-registered again after the account is renewed.  The automation scripts automatically re-register every time the scripts are ran just for simplicity sake.
@@ -172,7 +175,7 @@ This account is specifically used for the CMC automation test environment.  The
    * Registration: 
 
    \
-   You may register the redhat vm during installation via the wizard or you can registrer via the following command: `subscription-manager register --username qatest.atvm@cirrusdata.com --password rh@CDSi101cdsi2012`
+   You may register the redhat vm during installation via the wizard or you can registrer via the following command: `subscription-manager register --username "$REDHAT_SUBSCRIPTION_USER" --password "$REDHAT_SUBSCRIPTION_PASSWORD"`
 
    \
    * Re-Register:
@@ -182,7 +185,7 @@ This account is specifically used for the CMC automation test environment.  The
    # subscription-manager remove --all
    # subscription-manager unregister
    # subscription-manager clean
-   # subscription-manager register --username qatest.atvm@cirrusdata.com --password rh@CDSi101cdsi2012
+   # subscription-manager register --username "$REDHAT_SUBSCRIPTION_USER" --password "$REDHAT_SUBSCRIPTION_PASSWORD"
    ```
 
    \
@@ -192,7 +195,7 @@ This account is specifically used for the CMC automation test environment.  The
    <https://developers.redhat.com/products/rhel/download#publicandprivatecloudreadyrhelimages>
 
    \
-   * REDHAT LOGIN: qatest.atvm@cirrusdata.com / rh@CDSi101cdsi2012 (alias email currently linked with anthony.wen@cirrusdata.com).  (Ask administrator to switch alias to whoever takes over this environment). 
+   * REDHAT LOGIN: `REDHAT_SUBSCRIPTION_USER` / `REDHAT_SUBSCRIPTION_PASSWORD` from `.env.credentials.local` (alias email currently linked with anthony.wen@cirrusdata.com).  (Ask administrator to switch alias to whoever takes over this environment). 
 
    \
    ==Note: EOL OSes might not be allowed to register.  In those cases, offline DVD repo needs to be used.==
@@ -265,7 +268,7 @@ Reserved static ip address for atvm environment:
 **__192.1168.3.176 - 179:__** used for atvm infrastructure
 
 
-1. 192.168.3.176: atvm-ovirtengine (ssh: root / ovirtcdsi2012; web portal: admin / ovirtcdsi2012) - sometimes after a reboot the kvm shows as down but it really isn't.  Seems like a glitch. Putting it in maintenance mode and activating it seemed to get working again for whatever reason.
+1. 192.168.3.176: atvm-ovirtengine (ssh: **OVIRT_ENGINE_SSH_USER** / **OVIRT_ENGINE_SSH_PASSWORD**; web portal: **OVIRT_ENGINE_WEB_USER** / **OVIRT_ENGINE_WEB_PASSWORD** from `.env.credentials.local`) - sometimes after a reboot the kvm shows as down but it really isn't.  Seems like a glitch. Putting it in maintenance mode and activating it seemed to get working again for whatever reason.
 
    
    1. AutomatedTest-VMBootImgComputeMigration-Gold (512 GB)
@@ -277,17 +280,17 @@ Reserved static ip address for atvm environment:
    7. CMC Helper: cmchelper-vm (default name)
    8. CMC Disk Image: cmchelper-vm
    9. 4 cpu, 8GB memory, 60GB disk space
-2. 192.168.3.177: atvm-kvm01 (ssh: root / ovirtcdsi2012)
+2. 192.168.3.177: atvm-kvm01 (ssh: **OVIRT_KVM01_USER** / **OVIRT_KVM01_PASSWORD** from `.env.credentials.local`)
 
    
    1. AutomatedTest-VMBootImgComputeMigration-Gold (512 GB)
    2. atvm-kvm01.cds.lab.com
    3. 8 cpu, 16GB memory, 70GB disk space
-3. 192.168.3.178: atvm-proxmox (ssh: root / promoxcdsi2012)
+3. 192.168.3.178: atvm-proxmox (ssh: **PROXMOX_USER** / **PROXMOX_PASSWORD** from `.env.credentials.local`)
 
    
    1. https://192.168.3.178:8006/
-   2. email used for alerts: qatestuser.atvm@cirrusdata.com (alias email currently linked with anthony.wen@cirrusdata.com)
+   2. email used for alerts: `PROXMOX_ALERT_EMAIL` from `.env.credentials.local` (alias email currently linked with anthony.wen@cirrusdata.com)
    3. hostname (FQDN): atvm-proxmox.cdsi.us.local
    4. AutomatedTest-VMBootImgComputeMigration-Gold (512 GB)
    5. 8 cpu, 16GB memory, 132GB disk space
@@ -303,7 +306,7 @@ VM's FC Passthrough Adapter Zoning to Pure 192.168.2.8  and Infinidat 192.168.2.
 
 **__Switch Information:__**
 
-Brocade 192.168.2.240 admin / password
+Brocade 192.168.2.240 (use the locally managed switch credential; do not store it in tracked docs)
 
 
 **__CDS1_ESX165 Passthrough Ports (==In-Use==):__**
@@ -780,8 +783,8 @@ VM's will be powered on and tested 1 at a time.  So the shared resources should
     
     1. 4 CPU, 8GB Memory, \[minimum disk size for specific distribution - as of 02/25/2025, atvm currently uses 16GB for linux, 40GB for windows but need to check distros and adjust accordingly\]
     2. Name the VM hostname (OS won't like "." and sometimes "_" so replace with "-"): "atvm\[#\]-\[os \]\[major\]-\[minor\]" (ex. atvm2-Ubuntu16-04)
-    3. Non-root user creation: cirrus / cdsi2012 (if required)
-    4. root account: root / cdsi2012
+    3. Non-root user creation: `ATVM_NONROOT_DEFAULT_USER` / `ATVM_NONROOT_DEFAULT_PASSWORD` from `.env.credentials.local` (if required)
+    4. root account: `ATVM_TARGET_USER` / `ATVM_TARGET_PASSWORD` from `.env.credentials.local`
     5. Install using minimal installation
     6. Set network as static with 192.168.3.191 / 255.255.252.0 \[broadcast\] / 192.168.0.1 \[gateway\]
  3. Assign SCSI Controller

atvm/docs/automation/guide.md

@@ -12,12 +12,12 @@ Run ATVM CMC automation tests on the designated automation VM without unintended
 ## ATVM Cypress Automation Controller Client
 - Hostname: `atvm-cypres-vm-1`
 - IP: `192.168.3.190`
-- Credentials: `root / atvmcdsi2012`
+- Credentials: source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_CONTROLLER_USER` plus `ATVM_CONTROLLER_PASSWORD`
 
 ## ATVM Target Host Default
 - Treat `192.168.3.191` as the default ATVM target host reference.
 - For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
-- For SSH to `192.168.3.191`, use default credentials `root / cdsi2012` unless the operator explicitly overrides them.
+- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly overrides them.
 
 ## Operating Constraints
 - Run only scripts/commands explicitly requested.

atvm/docs/setup/guide.md

@@ -12,7 +12,7 @@ Do not put dated run examples here.
 The setup flow performs a controlled bootstrap across supported Linux distributions:
 1. Validate target host identity using expected IP + expected hostname before any configuration.
 2. Fix repositories (especially CD/DVD media repo entries).
-3. On Ubuntu, configure root SSH password-login workflow (`root/cdsi2012`) for follow-on root operations.
+3. On Ubuntu, configure root SSH password-login workflow using `ATVM_TARGET_PASSWORD` for follow-on root operations.
 4. On Oracle Linux, set default boot kernel to non-UEK when available.
 5. Disable unattended auto-upgrades on Ubuntu.
 6. Remove specific storage-related packages and install base tooling.
@@ -27,10 +27,10 @@ The setup flow performs a controlled bootstrap across supported Linux distributi
 - Shell safety flags: `set -euo pipefail`
 - Logging: colorized console + plain text log file
 - Entry point: `main "$@"`
-- Default operator assumption for setup access: `root / cdsi2012` unless explicitly overridden.
+- Default operator assumption for setup access: source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless explicitly overridden.
 - When the operator refers to `192.168.3.191`, treat it as the default ATVM target host.
 - For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
-- For SSH to `192.168.3.191`, use `root / cdsi2012` unless the operator explicitly provides different credentials.
+- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly provides different credentials.
 
 ## Mandatory Identity Gate
 Setup must not start unless operator explicitly provides both values:
@@ -76,7 +76,7 @@ Rules:
 
 ### Ubuntu Root SSH Workflow
 - Ubuntu only.
-- Set root password `cdsi2012`, unlock root account.
+- Require `ATVM_TARGET_PASSWORD` in the environment, then set the root password to that value and unlock the root account.
 - Write `/etc/ssh/sshd_config.d/99-atvm-root-login.conf` enabling root + password auth.
 - Validate config and restart SSH service.
 
@@ -135,6 +135,7 @@ Required post-run validation:
 ## Preferred Execution Commands
 Direct client execution:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 sudo bash /home/cirrususer/atvm-setup-script.sh \
   --expected-ip <current-client-ip> \
   --expected-hostname <exact-hostname>
@@ -142,12 +143,14 @@ sudo bash /home/cirrususer/atvm-setup-script.sh \
 
 Controller run + collect:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 EXPECTED_IP_ARG=<current-client-ip> EXPECTED_HOSTNAME_ARG=<exact-hostname> \
 /home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh
 ```
 
 Controller collect-only after client run:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 /home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh --collect-after-complete
 ```
 

atvm/docs/setup/run-learnings.md

@@ -12,7 +12,7 @@ This file stores run-specific examples only when a run produced a new learning r
   - Final static IP: `192.168.3.191`
   - Hostname: `atvm-codextest-vm-1`
 - Learning:
-  - Root SSH password workflow (`root/cdsi2012`) and log copy/hash verification path are valid end-to-end.
+  - Root SSH password workflow backed by `ATVM_TARGET_PASSWORD` and the log copy/hash verification path are valid end-to-end.
   - Wrapper must enforce identity arguments for run-and-collect mode.
 - Action for future runs:
   - Require `EXPECTED_IP_ARG` and `EXPECTED_HOSTNAME_ARG` for wrapper run-and-collect.

atvm/inventory/accounts-and-credentials.md

@@ -1,62 +1,64 @@
 # ATVM Accounts And Credentials
 
 This file organizes the ATVM lab account and credential information that was preserved from the original long-form notes.
+All secret values have been moved to `/home/aw/code/cds/.env.credentials.local`.
+Use the variable names below instead of storing raw credentials in tracked files.
 
 ## CMC GCStage
 - URL:
-  - `https://ui.gcstage.cloud.nonprod.cirrusdata.com/`
+  - `CMC_GCSTAGE_URL`
 
 ## CMC ATVM Test Account
 - User:
-  - `qatest.atvm@cirrusdata.com`
+  - `CMC_TEST_USER`
 - Password:
-  - `fEMQ9N4KEfYyFnS`
+  - `CMC_TEST_PASSWORD`
 - 2FA registration code:
-  - `C7FIIZV6SGZ67XGATFN7YQHEJI6BHGPL`
+  - `CMC_TEST_TOTP_SECRET`
 - CMC API token:
-  - `lNSrdRkqJWJlxierQTcoIiZppmORigyZiXQsHhGiJtmnGKCGAJTwMpRsqKSLgKdSHTXDpYPtPyszDZTvOvGEoXuBZFdkTkxyvNTlSxYKLsBcEpTbRkRQkQppdwBhaUyauPZxolHmOTeZOVIAZCnyGBTQjVxsSaaJXwaguIgeFbYctONcCBhayNTruJOtYJGYbLBESrRkDMuHZBCpZoMeKgeNjifqdROMYhKCyUFhVhaOvFSWizFNlQZYRInscFw`
+  - `CIRRUS_API_TOKEN`
 - Xray location for failed tests:
   - `../cdc-e2e/cypress/cmcXray`
 
 ## CMC User-Administration Test Account
 - User:
-  - `qatestuser.atvm@cirrusdata.com`
+  - `CMC_USERADMIN_TEST_USER`
 - Password:
-  - `fEMQ9N4KEfYyFnS#1`
+  - `CMC_USERADMIN_TEST_PASSWORD`
 - 2FA registration code:
-  - `WQ6F6NIDSIY57BLHMTTVBMIXZI44G5F7`
+  - `CMC_USERADMIN_TOTP_SECRET`
 - CMC API token:
-  - `DQYjVaDFbsFDcfVEoIZNbiiWLkoMOMSzoFyVKkFxwvribCrLiUqEwVVVZDurapQTiJEuGYcJVOvFnXSmcIpwXIJDzPGiidaQwMfbPGirmpKsVZrPQeHAgbABpyNjiDxSOzmGWvDpBEHdrnYceSxtkvYkhSGPOolWOUYdblCuzfnFCuwLtOklRZGsZRAEbBfeJPyrfnZCSMcGBRoVkMRXttYcJKEwOqzlKKKXWtyKKirfyOpSpTlnREUQlgwjGSB`
+  - `CMC_USERADMIN_API_TOKEN`
 
 ## Red Hat Free Subscription Account
 - User:
-  - `qatest.atvm@cirrusdata.com`
+  - `REDHAT_SUBSCRIPTION_USER`
 - Password:
-  - `rh@CDSi101cdsi2012`
+  - `REDHAT_SUBSCRIPTION_PASSWORD`
 - Registration command:
-  - `subscription-manager register --username qatest.atvm@cirrusdata.com --password rh@CDSi101cdsi2012`
+  - `subscription-manager register --username "$REDHAT_SUBSCRIPTION_USER" --password "$REDHAT_SUBSCRIPTION_PASSWORD"`
 - Re-register sequence:
 ```none
 # subscription-manager remove --all
 # subscription-manager unregister
 # subscription-manager clean
-# subscription-manager register --username qatest.atvm@cirrusdata.com --password rh@CDSi101cdsi2012
+# subscription-manager register --username "$REDHAT_SUBSCRIPTION_USER" --password "$REDHAT_SUBSCRIPTION_PASSWORD"
 ```
 - Renewal link:
   - `https://developers.redhat.com/products/rhel/download#publicandprivatecloudreadyrhelimages`
 
 ## Related Host Credentials
 - ATVM controller host:
-  - `root / atvmcdsi2012`
-  - `cypressuser / atvmcypress`
+  - `ATVM_CONTROLLER_USER / ATVM_CONTROLLER_PASSWORD`
+  - `ATVM_CONTROLLER_ALT_USER / ATVM_CONTROLLER_ALT_PASSWORD`
 - Linux repository VM:
-  - `root / cdsi2012`
+  - `ATVM_REPO_USER / ATVM_REPO_PASSWORD`
 - vCenter `192.168.0.201`:
-  - `administrator@qalab.cdsi.local / CDSi101!`
+  - `VCENTER_USER / VCENTER_PASSWORD`
 - ESXi `192.168.1.165`:
-  - `root / CDSi101!`
+  - `ESXI_HOST_1_USER / ESXI_HOST_1_PASSWORD`
 - ESXi `192.168.1.166`:
-  - `root / CDSi101!`
+  - `ESXI_HOST_2_USER / ESXI_HOST_2_PASSWORD`
 
 ## Preserved Source
 - Full original notes remain in:

atvm/inventory/infrastructure.md

@@ -1,28 +1,29 @@
 # ATVM Infrastructure
 
 This file organizes the main infrastructure reference that was previously embedded in the long-form ATVM notes.
+Tracked docs should reference `/home/aw/code/cds/.env.credentials.local` for secret values instead of storing them inline.
 
 ## Storage / Appliance
 - Primary DGS Phoenix Server: `192.168.1.172`
 - Replica DGS Phoenix Server: `192.168.1.89`
 - Primary DGS web login:
-  - `admin / cdsi2012DGS172`
+  - `DGS_PRIMARY_USER / DGS_PRIMARY_PASSWORD`
 - The preserved detailed storage and appliance notes remain in:
   - `archive/imported-notes/cypress-automation-for-cmc.md`
 
 ## VMware
 - Active vCenter Server Appliance: `192.168.0.201`
 - vCenter login:
-  - `administrator@qalab.cdsi.local / CDSi101!`
+  - `VCENTER_USER / VCENTER_PASSWORD`
 - Primary ESXi hosts:
   - `192.168.1.165`
   - `192.168.1.166`
 - ESXi `192.168.1.165`:
-  - SSH: `root / CDSi101!`
-  - IPMI: `admin / cdsi2012`
+  - SSH: `ESXI_HOST_1_USER / ESXI_HOST_1_PASSWORD`
+  - IPMI: `ESXI_HOST_1_IPMI_USER / ESXI_HOST_1_IPMI_PASSWORD`
 - ESXi `192.168.1.166`:
-  - SSH: `root / CDSi101!`
-  - IPMI: `admin / cdsi2012`
+  - SSH: `ESXI_HOST_2_USER / ESXI_HOST_2_PASSWORD`
+  - IPMI: `ESXI_HOST_2_IPMI_USER / ESXI_HOST_2_IPMI_PASSWORD`
 - Legacy VMware environment details are preserved in the archived notes.
 
 ## ATVM Controller Host
@@ -32,8 +33,8 @@ This file organizes the main infrastructure reference that was previously embedd
 - Controller IP:
   - `192.168.3.190`
 - Controller credentials:
-  - `root / atvmcdsi2012`
-  - `cypressuser / atvmcypress`
+  - `ATVM_CONTROLLER_USER / ATVM_CONTROLLER_PASSWORD`
+  - `ATVM_CONTROLLER_ALT_USER / ATVM_CONTROLLER_ALT_PASSWORD`
 - Current noted controller variants:
   - `atvm-cypress-vm`
   - `atvm-cypress-vm-1`
@@ -44,7 +45,7 @@ This file organizes the main infrastructure reference that was previously embedd
 - Repository IP:
   - `192.168.3.199`
 - Repository credentials:
-  - `root / cdsi2012`
+  - `ATVM_REPO_USER / ATVM_REPO_PASSWORD`
 - Repository content families include:
   - RedHat
   - Debian

atvm/scripts/atvm-setup-script.sh

@@ -16,6 +16,8 @@
 
 set -euo pipefail
 
+ATVM_ROOT_SSH_PASSWORD="${ATVM_TARGET_PASSWORD:-}"
+
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
@@ -432,7 +434,12 @@ configure_ubuntu_root_ssh_access() {
 
     print_warning "Ubuntu-specific workflow: configuring root account for SSH password login"
 
-    echo "root:cdsi2012" | ${SUDO_CMD} chpasswd
+    if [[ -z "$ATVM_ROOT_SSH_PASSWORD" ]]; then
+        print_error "ATVM_TARGET_PASSWORD must be set before running the Ubuntu root SSH workflow"
+        exit 1
+    fi
+
+    echo "root:${ATVM_ROOT_SSH_PASSWORD}" | ${SUDO_CMD} chpasswd
     ${SUDO_CMD} passwd -u root >/dev/null 2>&1 || true
     print_info "Root password set to configured workflow value"
 
@@ -464,7 +471,7 @@ EOF"
 
     ROOT_SSH_CONFIGURED=true
     print_info "Root SSH/password workflow configured for Ubuntu"
-    print_info "Next operator step: reconnect as root with password cdsi2012"
+    print_info "Next operator step: reconnect as root using the ATVM_TARGET_PASSWORD value"
 }
 
 #==============================================================================
@@ -1453,7 +1460,7 @@ print_final_summary() {
 "
             summary_output+="    * PasswordAuthentication enabled
 "
-            summary_output+="    * Reconnect as root/cdsi2012 for root-only workflow
+            summary_output+="    * Reconnect as root using the ATVM_TARGET_PASSWORD value for root-only workflow
 "
         else
             summary_output+="[SKIP] Step 2: Ubuntu Root SSH Access Configuration
@@ -1697,7 +1704,7 @@ After hash match is confirmed on controller:
             echo "    * Root password set to workflow value"
             echo "    * PermitRootLogin enabled"
             echo "    * PasswordAuthentication enabled"
-            echo "    * Reconnect as root/cdsi2012 for root-only workflow"
+            echo "    * Reconnect as root using the ATVM_TARGET_PASSWORD value for root-only workflow"
         else
             echo -e "${YELLOW}[SKIP] Step 2: Ubuntu Root SSH Access Configuration${NC}"
             echo "    * Not applied"

atvm/scripts/run-atvm-setup-and-collect-log.sh

@@ -2,9 +2,18 @@
 
 set -euo pipefail
 
+WORKSPACE_ROOT="${WORKSPACE_ROOT:-/home/aw/code/cds}"
+ENV_CREDENTIALS_FILE="${ENV_CREDENTIALS_FILE:-$WORKSPACE_ROOT/.env.credentials.local}"
+
+if [[ -f "$ENV_CREDENTIALS_FILE" ]]; then
+    # Load local-only credential defaults for controller-side SSH and remote setup.
+    # shellcheck disable=SC1090
+    source "$ENV_CREDENTIALS_FILE"
+fi
+
 REMOTE_IP_PRIMARY="${REMOTE_IP_PRIMARY:-192.168.0.121}"
 REMOTE_IP_SECONDARY="${REMOTE_IP_SECONDARY:-192.168.3.191}"
-REMOTE_USER="${REMOTE_USER:-root}"
+REMOTE_USER="${REMOTE_USER:-${ATVM_TARGET_USER:-root}}"
 PROJECT_DIR="${PROJECT_DIR:-/home/aw/code/atvm}"
 LOCAL_LOG_DIR="${LOCAL_LOG_DIR:-$PROJECT_DIR/log}"
 LOCAL_SETUP_SCRIPT="${LOCAL_SETUP_SCRIPT:-$PROJECT_DIR/atvm_setup_script.sh}"
@@ -14,6 +23,7 @@ WAIT_TIMEOUT_SECONDS="${WAIT_TIMEOUT_SECONDS:-600}"
 MODE="${1:-run-and-collect}"
 EXPECTED_IP_ARG="${EXPECTED_IP_ARG:-}"
 EXPECTED_HOSTNAME_ARG="${EXPECTED_HOSTNAME_ARG:-}"
+ATVM_PASSWORD="${ATVM_PASSWORD:-${ATVM_TARGET_PASSWORD:-}}"
 
 SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5)
 
@@ -157,7 +167,7 @@ if [[ "$MODE" == "run-and-collect" ]]; then
 
     echo "Running remote setup script on ${INITIAL_HOST} (disconnect is expected during IP/reboot steps)"
     set +e
-    run_ssh "$INITIAL_HOST" "chmod +x '$REMOTE_SETUP_SCRIPT' && bash '$REMOTE_SETUP_SCRIPT' --expected-ip '$EXPECTED_IP_ARG' --expected-hostname '$EXPECTED_HOSTNAME_ARG'"
+    run_ssh "$INITIAL_HOST" "chmod +x '$REMOTE_SETUP_SCRIPT' && ATVM_TARGET_PASSWORD='${ATVM_TARGET_PASSWORD:-}' bash '$REMOTE_SETUP_SCRIPT' --expected-ip '$EXPECTED_IP_ARG' --expected-hostname '$EXPECTED_HOSTNAME_ARG'"
     run_status=$?
     set -e
     if (( run_status != 0 )); then

cdsmcp/artifacts/logs/atvm-codextest-vm-03-18-2026.log

@@ -24,7 +24,7 @@ Disk Layout
 - Destination mountpoint after completion: /mnt/destination
 
 CMC Reinstall
-- Registration code: BZHKABCODZLIOK6RTAJ4
+- Registration code: CMC_GCSTAGE_REGISTRATION_CODE from /home/aw/code/cds/.env.credentials.local
 - Endpoint: portal.gcstage.cloud.nonprod.cirrusdata.com:443
 - Result: successful
 

cdsmcp/docs/cmc-install-reference.md

@@ -4,18 +4,19 @@ This file contains the CMC install, uninstall, and reinstall fallback reference
 
 ## Default Project Rule
 - Default project: `Skidamarink`
-- Default registration code: `BZHKABCODZLIOK6RTAJ4`
+- Source `/home/aw/code/cds/.env.credentials.local` and use `CMC_GCSTAGE_REGISTRATION_CODE`
 - Default endpoint: `portal.gcstage.cloud.nonprod.cirrusdata.com:443`
 - Use a different project code only when the user explicitly requests it in that run.
 
 ## Skidamarink Install (Linux)
 ```bash
-curl https://get.cirrusdata.cloud/install-cmc | bash -s -- -rgc BZHKABCODZLIOK6RTAJ4 -gce portal.gcstage.cloud.nonprod.cirrusdata.com:443 -pkg-mode PRE_RELEASE
+source /home/aw/code/cds/.env.credentials.local
+curl https://get.cirrusdata.cloud/install-cmc | bash -s -- -rgc "$CMC_GCSTAGE_REGISTRATION_CODE" -gce portal.gcstage.cloud.nonprod.cirrusdata.com:443 -pkg-mode PRE_RELEASE
 ```
 
 ## Skidamarink Install (Windows)
 ```powershell
-iex "& { $(irm https://get.cirrusdata.cloud/install-cmc-win) } -rgc BZHKABCODZLIOK6RTAJ4 -gce portal.gcstage.cloud.nonprod.cirrusdata.com:443 -pkg-mode PRE_RELEASE"
+iex "& { $(irm https://get.cirrusdata.cloud/install-cmc-win) } -rgc $env:CMC_GCSTAGE_REGISTRATION_CODE -gce portal.gcstage.cloud.nonprod.cirrusdata.com:443 -pkg-mode PRE_RELEASE"
 ```
 
 ## Uninstall (Linux)

cdsmcp/docs/vm-lookup-and-assignment.md

@@ -47,8 +47,9 @@ This file covers vCenter VM lookup responses and the workflow for assigning exis
 - Never perform the assignment step until the operator explicitly approves after seeing that summary.
 
 ## Common VM Credentials
-- Username: `root`
-- Password: `cdsi2012`
+- Source `/home/aw/code/cds/.env.credentials.local`
+- Username: `ATVM_TARGET_USER`
+- Password: `ATVM_TARGET_PASSWORD`
 
 ## Status Output Format (Power-Off/Revert/Power-On)
 - `VM [vm name] was poweredOn, so I powered it off` (or `already poweredOff`)

cdsmcp/docs/vmware-migrateops-guide.md

@@ -8,8 +8,7 @@ This file is for workflow guidance only. Do not add specific run examples here.
 
 ## vCenter Access
 - Address: `192.168.0.201`
-- Username: `administrator@qalab.cdsi.local`
-- Password: `CDSi101!`
+- Source `/home/aw/code/cds/.env.credentials.local` and use `VCENTER_USER` plus `VCENTER_PASSWORD`
 - Standard CLI path: `/home/aw/.local/bin/govc`
 - Use only this standard vCenter login for vCenter actions unless explicitly instructed otherwise.
 - Do not use `192.168.3.190` for vCenter actions; that machine is reserved for Cypress ATVM automation.
@@ -23,7 +22,7 @@ This file is for workflow guidance only. Do not add specific run examples here.
 - Any other VM IP must be obtained live from vCenter for that run only.
 - Do not carry forward ad-hoc VM IPs from previous runs in runbooks.
 - When the operator refers to `192.168.3.191`, assume ATVM target SSH access should ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
-- When the operator refers to `192.168.3.191`, assume default SSH credentials `root / cdsi2012` unless the operator explicitly overrides them.
+- When the operator refers to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly overrides them.
 
 ## Related References
 - VM lookup, datastore reporting, and FC/disk assignment: